AuTo Stealer
AuTo Stealer is malware written in C++ has been used by SideCopy since at least December 2021 to target government agencies and personnel in India and Afghanistan.[1]
Techniques Used
| Domain | ID | Name | Use | |
|---|---|---|---|---|
| Enterprise | T1071 | .001 | Application Layer Protocol: Web Protocols |
AuTo Stealer can use HTTP to communicate with its C2 servers.[1] |
| Enterprise | T1547 | .001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder |
AuTo Stealer can place malicious executables in a victim's AutoRun registry key or StartUp directory, depending on the AV product installed, to maintain persistence.[1] |
| Enterprise | T1059 | .003 | Command and Scripting Interpreter: Windows Command Shell |
AuTo Stealer can use |
| Enterprise | T1005 | Data from Local System |
AuTo Stealer can collect data such as PowerPoint files, Word documents, Excel files, PDF files, text files, database files, and image files from an infected machine.[1] |
|
| Enterprise | T1074 | .001 | Data Staged: Local Data Staging |
AuTo Stealer can store collected data from an infected host to a file named |
| Enterprise | T1041 | Exfiltration Over C2 Channel |
AuTo Stealer can exfiltrate data over actor-controlled C2 servers via HTTP or TCP.[1] |
|
| Enterprise | T1095 | Non-Application Layer Protocol |
AuTo Stealer can use TCP to communicate with command and control servers.[1] |
|
| Enterprise | T1518 | .001 | Software Discovery: Security Software Discovery |
AuTo Stealer has the ability to collect information about installed AV products from an infected host.[1] |
| Enterprise | T1082 | System Information Discovery |
AuTo Stealer has the ability to collect the hostname and OS information from an infected host.[1] |
|
| Enterprise | T1033 | System Owner/User Discovery |
AuTo Stealer has the ability to collect the username from an infected host.[1] |
|